San Francisco – January 18, 2017 – Despite widespread concern about the security of mobile and Internet of Things (IoT) applications, organizations are ill-prepared for the risks they pose, according to a research report issued today from Ponemon Institute, IBM Security, and Arxan Technologies, the trusted provider of application attack prevention and self-protection solutions. The “2017 Study on Mobile and Internet of Things Application Security” aims to illustrate practices and opinions among IT and IT security practitioners.

“The numbers don’t add up. While 60 percent of respondents confirm that their organization has already experienced a data breach caused by an insecure mobile app, and more than half are very concerned about the likelihood of an attack, 44 percent are taking no steps to protect their apps,” said Mandeep Khera, Chief Marketing Officer of Arxan. “The laissez-faire attitude toward the security of mobile and IoT applications needs to come to an end and organizations must start emphasizing security in the development process in order to prevent a detrimental attack. One breach can set a company back dramatically in brand damage, financial loss and recovery costs. You have to think of the old idiom - penny wise, pound foolish.”

Key Findings

Many organizations are worried about an attack against mobile and IoT apps that are used in the workplace.
Organizations are having a more difficult time securing IoT apps. Respondents are slightly more concerned about getting hacked through an IoT app (fifty-eight percent) than a mobile app (fifty-three percent). However, despite their concern, organizations are not mobilizing against this threat. Forty-four percent of respondents say they are taking no steps and eleven percent are unsure if their organization is doing anything to prevent such an attack.

Material data breaches or cyber attacks have occurred and are reasons for concern.
Sixty percent of respondents say that their organization had a security incident because of an insecure mobile app, whether with certainty (eleven percent), most likely (fifteen percent) or likely (thirty-four percent). Respondents are less certain whether their organization has experienced a material data breach or cyber attack due to an insecure IoT app. Forty-six percent of respondents say it has, whether with certainty (four percent), most likely (eleven percent) or likely (thirty-one percent).

Despite the risk, there is a lack of urgency to address the threat.
Only thirty-two percent of respondents say their organization urgently wants to secure mobile apps and forty-two percent of respondents say it is urgent to secure IoT apps.

“Factors revealed in this study may help to explain the lack of urgency,” said Dr. Larry Ponemon, Chair and Founder of Ponemon Institute. “Respondents voiced minimal budget allocation, and those responsible for stopping attacks are not in the security function, but rather other lines of business. Without proper budget or oversight, these threats aren’t being taken seriously and it should come as no surprise for mobile and IoT applications to be the culprit of major data breaches to come.”

Not enough resources are being allocated...yet.
Only thirty percent of respondents say their organization allocates sufficient budget to protect mobile apps and IoT devices. If they had a serious hacking incident, their organizations would consider increasing the budget (fifty-four percent of respondents). Other reasons to increase the budget are if new regulations were issued (forty-six percent of respondents) or media coverage of a serious hacking incident affecting another company occurred (twenty-five percent of respondents).

“Mobile and IoT applications continue to be released at a rapid pace to meet user demand. If security isn’t designed into these apps there could be significant negative impacts,” said Diana Kelley, Global Executive Security Advisor, IBM Security. “Organizations are at risk and cybercriminals know where the soft spots are. Raising awareness of application security in the enterprise is a critically important first step toward a more secure future for businesses and consumers.”

These issues are not insurmountable. Solutions are available and organizations can implement the right tools for proper protection. IBM and Arxan offer an end-to-end enterprise solution to help defend all aspects of mobile and IoT applications.

About IBM Security
IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force® research, enables organizations to effectively manage risk and defend against emerging threats. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 35 billion security events per day in more than 130 countries, and holds more than 3,000 security patents. For more information, please visit www.ibm.com/security, follow @IBMSecurity on Twitter or visit the IBM Security Intelligence blog.

About the Ponemon Institute
Ponemon Institute conducts independent research on privacy, data protection and information security policy. Our goal is to enable organizations in both the private and public sectors to have a clearer understanding of the trends in practices, perceptions and potential threats that will affect the collection, management and safeguarding of personal and confidential information about individuals and organizations. Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise. For more information, please visit http://www.ponemon.org/.

About Arxan Technologies
Arxan is the trusted global leader of Application Protection and Management products for Internet of Things (IoT), Mobile, Desktop, and other platforms for consumer, employee, and B2B applications. We help customers distribute and manage applications, and protect against financial loss, brand damage, fraud, IP theft, stolen credentials, fraudulent transactions, unauthorized access, non-compliance with regulatory and industry standards, and more. We are currently protecting applications running on more than 500 million devices across a range of industries, including: financial services, automotive (connected automobiles), healthcare (connected medical devices), digital media, gaming, high tech/independent software vendors (ISVs), and others. The company’s headquarters and engineering operations are based in the United States with global offices in EMEA and APAC. Learn more at www.arxan.com.